1. Identity Access Management (IAM): used to control identity (who) and access (what AWS resources).
1.1. Features:
1.1.1. Centralized user access control.
1.1.2. Shared access to an AWS account.
● Grant other people permission to administer and use resources in your AWS account.
1.1.3. Grant permissions.
1.1.4. Multi-factor authentication
● Security-token based: TOTP based; supports hardware or virtual MFA devices.
● SMS text-message based: not recommended now.
● U2F security key: a device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance.
● MFA can be enabled for API calls if the AWS service supports temporary security credentials.
1.1.5. Identity federation.
● Use IAM identity providers instead of creating IAM users.
● Web identity federation uses the STS service with the AssumeRoleWithWebIdentity action to request temporary security credentials.
● Web identity federation with Cognito.
● SAML 2.0-based federation (Windows Active Directory or OpenLDAP) uses the STS service with the AssumeRoleWithSAML action to request temporary security credentials.
● IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
● Custom identity broker federation: if the organization doesn't have a SAML-compatible IdP, use the AWS Security Token Service AssumeRole (recommended) or GetFederationToken (expiration period of 36 hours) to obtain temporary security credentials.
1.1.6. Secure access to AWS resources for applications that run on Amazon EC2.
1.1.7. Password policy.
● Minimum password length
● Require at least one uppercase letter
● Require at least one lowercase letter
● Require at least one number
● Require at least one non-alphanumeric character
● Allow users to change their own password
● Enable password expiration
● Prevent password reuse
● Password expiration requires administrator reset
1.1.8. Eventually consistent.
1.1.9. Integrates with AWS services.
1.1.10. Credential report
● Lists all users and the status of their various credentials, including passwords, access keys, and MFA devices.
● Credential reports assist in your auditing and compliance efforts.
● A credential report can be generated as often as once every four hours.
1.1.11. PCI DSS (Payment Card Industry Data Security Standard) compliant.
1.2. Identities:
1.2.1. Users:
● Represent a user or service that interacts with AWS; a user created for a service is typically referred to as a service account.
● An ARN for an IAM user might look like arn:aws:iam::account-ID-without-hyphens:user/Richard
● By default, a brand new IAM user has no permissions.
● If you lose or forget a password or access key, you cannot retrieve it from IAM. Instead, an IAM user asks an administrator to reset the password; for access keys, generate new ones.
1.2.2. Group: an IAM group is a collection of IAM users.
1.2.3. Role:
● An identity with permission policies that determine what the identity can and cannot do in AWS. Used to delegate access to users, applications, or services.
● Trust policy: a document in JSON format in which you define who is allowed to assume the role.
● Permission policy: a document in JSON format in which you define what actions and resources the role can use.
1.2.4. Temporary credentials
● AWS Security Token Service (AWS STS) creates and provides trusted users with temporary security credentials that can control access to your AWS resources.
● Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with these differences: temporary security credentials are short-term, and they are not stored with the user but are generated dynamically and provided to the user when requested.
● You do not have to distribute or embed long-term AWS security credentials with an application.
1.2.5. Root user:
1.2.6. Policies:
● A JSON document describing permissions as statements with Effect, Action, and Resource.
● Policies can be resource based or identity based.
● Managed (AWS managed or customer managed) or inline policies.
● Identity-based policies are attached to a user, group, or role.
● Resource-based policies are attached to AWS resources as inline policies only.
● Access to a bucket can be granted by a bucket policy, a user policy, or both.
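The following added example (not from the notes and not AWS code) models how IAM evaluates identity-based policies against the Effect/Action/Resource statements just described: nothing is permitted unless an Allow matches (so a new user with no policy can do nothing), and any matching explicit Deny overrides every Allow. The policy JSON and bucket name are constructed; Condition, NotAction/NotResource and resource-based policies are deliberately left out.

```python
import fnmatch
import json

# Constructed identity-based policy for a hypothetical user (not from the notes).
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow",
     "Action": "ec2:Describe*",
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM treats '*' and '?' in Action/Resource as wildcards; fnmatchcase gives
    # the same semantics for these simple cases.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Evaluate identity-based policies the way IAM does within one account:
    default deny, a matching Allow grants, a matching explicit Deny wins over all Allows."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are matched case-insensitively; resources are matched as given.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny: stop immediately
            allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed([USER_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"))
    print(is_allowed([USER_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"))
    print(is_allowed([], "s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"))
```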
1.3. Use cases:
1.3.1. Accessing AWS using the console requires a user password credential.
1.3.2. Accessing AWS using the CLI requires an access key (key ID + secret).
1.3.3. SSH key access for CodeCommit.
1.3.4. Server certificates to authenticate with services; HTTPS only.
1.4. Limits:
1.4.1. IAM users per account: 5000
1.4.2. IAM groups per account: 300
1.4.3. IAM roles per account: 1000
1.4.4. Managed policies attached to an IAM role: 10
1.4.5. Managed policies attached to an IAM user: 10
1.4.6. Instance profiles in an AWS account: 1000
1.4.7. Server certificates stored in an AWS account: 20
1.4.8. Access keys assigned to an IAM user: 2
1.4.9. An IAM user can be a member of 10 groups.
1.4.10. A managed policy cannot exceed 6,144 characters.
1.4.11. An inline user policy cannot exceed 2,048 characters.
1.4.12. An inline role policy cannot exceed 10,240 characters.
1.4.13. An inline group policy cannot exceed 5,120 characters.
1.5. Tips:
1.5.1. User permissions must be given explicitly.
1.5.2. An IAM user cannot be renamed from the AWS Management Console; it can be done using the CLI or SDK tools. You need to handle the renaming in the policies where the user was mentioned as a resource.
2. Virtual Private Cloud (VPC): the original release of Amazon EC2 supported a single, flat network that's shared with other customers, called the EC2-Classic platform. Earlier AWS accounts still support this platform and can launch instances into either EC2-Classic or a VPC.
2.1. Features:
2.1.1. Dedicated (logically isolated) virtual network on AWS.
2.1.2. The EC2-VPC platform comes with a default VPC that has a default subnet in each Availability Zone.
2.1.3. The default VPC includes an internet gateway, and each default subnet is a public subnet.
2.1.4. Each instance launched into a default subnet has a private IPv4 address and a public IPv4 address.
2.1.5. Enable internet access for an instance launched into a non-default subnet by attaching an internet gateway to its VPC and associating an Elastic IP address with the instance.
2.2. Components:
2.2.1. Subnet
● The allowed CIDR block size is between /28 (2^4 addresses) and /16 (2^16 addresses).
● If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
● A VPN-only subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway.
● Currently, AWS does not support IPv6 traffic over a Site-to-Site VPN connection.
● Five IP addresses are reserved in each subnet; for 10.0.0.0/24 they are 10.0.0.0: network address; 10.0.0.1: reserved by AWS for the VPC router; 10.0.0.2: reserved by AWS for DNS; 10.0.0.3: reserved by AWS for future use; 10.0.0.255: network broadcast address.
● You can associate a single IPv6 CIDR block with an existing VPC in your account, or when you create a new VPC. The CIDR block uses a fixed prefix length of /56.
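An added example (not from the notes and not AWS code) that uses Python's ipaddress module to apply the subnet rules above: it checks that a subnet prefix lies within /16 to /28 and inside its VPC CIDR, enumerates the five reserved addresses of a subnet with their roles, computes the addresses actually usable by instances, and carves non-overlapping subnets out of a VPC block. All CIDRs are constructed sample values.

```python
import ipaddress

# Limits taken from the notes: a subnet prefix must lie between /16 and /28, and AWS
# reserves the first four addresses and the last address of every subnet.
MIN_PREFIX = 16
MAX_PREFIX = 28
RESERVED_ROLES = ("network address", "VPC router", "DNS server", "future use")


def validate_subnet(vpc_cidr, subnet_cidr):
    """Return (ok, reason). Checks the prefix range and that the subnet sits inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not (MIN_PREFIX <= subnet.prefixlen <= MAX_PREFIX):
        return False, f"prefix /{subnet.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}"
    if not subnet.subnet_of(vpc):
        return False, f"{subnet} is not inside {vpc}"
    return True, "ok"


def reserved_addresses(subnet_cidr):
    """Map each of the five reserved addresses in a subnet to its role."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(subnet.network_address)
    reserved = {str(ipaddress.ip_address(first + i)): role
                for i, role in enumerate(RESERVED_ROLES)}
    reserved[str(subnet.broadcast_address)] = "network broadcast address"
    return reserved


def usable_hosts(subnet_cidr):
    """Addresses available to instances once the five reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` non-overlapping subnets of the given prefix out of a VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = []
    for candidate in vpc.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(candidate))
    if len(subnets) < count:
        raise ValueError(f"{vpc} cannot hold {count} /{new_prefix} subnets")
    return subnets


if __name__ == "__main__":
    print(validate_subnet("10.0.0.0/16", "10.0.1.0/24"))
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_hosts("10.0.0.0/28"), "usable addresses in a /28")
    print(plan_subnets("10.0.0.0/16", 24, 3))
```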
2.2.2. Route table:
● Contains a set of rules, called routes, that are used to determine where network traffic is directed.
● A VPC automatically comes with a main route table that you can modify.
● You cannot delete the main route table.
● A subnet can only be associated with one route table (main or custom) at a time, but you can associate multiple subnets with the same route table.
● On creation, subnets are automatically associated with the main route table for the VPC.
● Every route table contains a local route for communication within the VPC over IPv4. If your VPC has more than one IPv4 CIDR block, your route tables contain a local route for each IPv4 CIDR block.
● The route table must be updated for any subnet that uses gateways such as an internet gateway, an egress-only internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in your VPC.
● The most specific route wins (longest prefix match).
● ClassicLink is a feature that enables you to link an EC2-Classic instance to a VPC.
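An added example (not the notes' or AWS code) of the "most specific route wins" rule: a constructed route table with the automatic local route, a default route to an internet gateway and two overlapping prefixes, plus a longest-prefix lookup and a check for whether the table makes its subnet public. The gateway ids are placeholders in AWS id style, not real resources.

```python
import ipaddress

# Constructed route table for a hypothetical VPC 10.0.0.0/16 (not from the notes).
# Targets use AWS-style id prefixes for illustration; the ids themselves are made up.
ROUTES = [
    ("10.0.0.0/16", "local"),          # local route the VPC adds automatically
    ("0.0.0.0/0", "igw-EXAMPLE"),      # default route to the internet gateway
    ("172.16.0.0/12", "vgw-EXAMPLE"),  # on-premises ranges via a virtual private gateway
    ("172.16.5.0/24", "pcx-EXAMPLE"),  # a more specific peering route inside that range
]


def build_route_table(routes):
    """Parse CIDR strings once; returns a list of (network, target)."""
    return [(ipaddress.ip_network(cidr, strict=True), target) for cidr, target in routes]


def lookup(route_table, destination):
    """Return the target of the most specific (longest prefix) route that matches
    `destination`, or None if nothing matches (the traffic is dropped)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, target in route_table:
        if addr.version != network.version or addr not in network:
            continue
        if best is None or network.prefixlen > best[0].prefixlen:
            best = (network, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is 'public' when its route table sends traffic to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    table = build_route_table(ROUTES)
    for dst in ("10.0.3.7", "172.16.5.9", "172.16.9.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("public subnet:", is_public_subnet(table))
```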
2.2.3. Elastic Network Interface (ENI)
● A virtual network interface that can include the following attributes:
○ a primary private IPv4 address
○ one or more secondary private IPv4 addresses
○ one Elastic IP address per private IPv4 address
○ one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
○ one or more IPv6 addresses
○ one or more security groups
○ a MAC address
○ a source/destination check flag
○ a description
● Each instance in your VPC has a default network interface (the primary network interface).
● You cannot detach a primary network interface from an instance.
● Use cases:
○ Create a management network.
○ Use network and security appliances in your VPC.
○ Create dual-homed instances with workloads/roles on distinct subnets.
○ Create a low-budget, high-availability solution.
2.2.4. Security group
● A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
● An instance can be assigned 5 security groups, with each security group having 50 rules.
● Security groups act at the instance level and grant access to a specific CIDR range, or to another security group in the VPC or in a peer VPC.
● You can specify allow rules, but not deny rules.
● If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
● By default, a security group includes an outbound rule that allows all outbound traffic.
● Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
● A security group name cannot start with sg-.
● A security group name must be unique within the VPC.
● Names and descriptions can be up to 255 characters in length.
● Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.
● Security groups are evaluated as a whole (the cumulative set of rules), with the most permissive rule taking precedence.
● Security groups are associated with ENIs (network interfaces).
● Security groups are stateful and use connection tracking to track information about traffic to and from the instance.
● Stale security group rules: when a VPC has a VPC peering connection with another VPC, a security group rule can reference a security group in the peer VPC. This allows instances associated with the referenced security group to communicate with instances associated with the referencing security group.
● You can't use the security groups that you've created for use with EC2-Classic with instances in your VPC.
● Changes are applied immediately to all instances associated with the security group.
2.2.5. NACL
● A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
● A VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound traffic.
● Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
● A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
● Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
2.2.6. Internet Gateway
● A horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
● An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
● An internet gateway supports IPv4 and IPv6 traffic.
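An added example (not from the notes and not AWS code) that contrasts the two evaluation models in the security group and NACL sections above: a security group is an allow-only union of rules, so the most permissive rule wins by construction, while a network ACL is an ordered list of allow/deny rules where the first match decides. The rule sets are constructed; the assumption that NACL rules are evaluated in ascending rule-number order with a final default deny is AWS behaviour not stated in the notes. Because NACLs are stateless, the inbound set carries an ephemeral-port rule for return traffic that a stateful security group never needs. The last function checks the security-group naming rules listed above.

```python
import ipaddress
import re

# Constructed rules for a hypothetical web subnet (not from the notes).
# Security group rule: (protocol, from_port, to_port, source CIDR). Allow-only.
WEB_SG = [
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "10.0.0.0/16"),
]

# Network ACL inbound rules: (rule_number, protocol, from_port, to_port, cidr, action).
# Assumed: evaluated in ascending rule-number order, first match wins, default deny.
WEB_NACL_IN = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, "10.0.0.0/16", "allow"),
    (120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # ephemeral ports: NACLs are stateless
    (50, "tcp", 22, 22, "10.0.99.0/24", "deny"),       # lower number, so checked before 110
]

# Allowed characters from the notes: a-z, A-Z, 0-9, spaces and ._-:/()#,@[]+=&;{}!$*
SG_NAME_RE = re.compile(r"^[a-zA-Z0-9 ._\-:/()#,@\[\]+=&;{}!$*]{1,255}$")


def _rule_matches(protocol, port, src, rule_protocol, lo, hi, cidr):
    """"-1" stands for all protocols (assumed, mirroring the AWS API convention)."""
    return (rule_protocol in ("-1", protocol)
            and lo <= port <= hi
            and ipaddress.ip_address(src) in ipaddress.ip_network(cidr))


def sg_allows(rules, protocol, port, src):
    """Security groups are a union of allow rules: any match permits the packet."""
    return any(_rule_matches(protocol, port, src, p, lo, hi, cidr)
               for p, lo, hi, cidr in rules)


def nacl_decision(rules, protocol, port, src):
    """Ordered first-match evaluation with explicit allow/deny; default deny."""
    for _, p, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _rule_matches(protocol, port, src, p, lo, hi, cidr):
            return action
    return "deny"


def valid_sg_name(name):
    """Character set, 255-character limit and the reserved 'sg-' prefix from the notes."""
    return bool(SG_NAME_RE.match(name)) and not name.startswith("sg-")


if __name__ == "__main__":
    print("SG 22 from internet:", sg_allows(WEB_SG, "tcp", 22, "203.0.113.5"))
    print("NACL 22 from 10.0.99.7:", nacl_decision(WEB_NACL_IN, "tcp", 22, "10.0.99.7"))
    print("NACL 22 from 10.0.5.5:", nacl_decision(WEB_NACL_IN, "tcp", 22, "10.0.5.5"))
    print("name 'sg-web' valid:", valid_sg_name("sg-web"))
```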
2.2.7. NAT Gateway
● A NAT device enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with the instances. The NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances. When traffic goes to the internet, the source IPv4 address is replaced with the NAT device's address; similarly, when the response traffic goes to those instances, the NAT device translates the address back to those instances' private IPv4 addresses.
● NAT devices are not supported for IPv6 traffic; use an egress-only internet gateway instead.
● Needs to be launched in the public subnet.
● Needs to be associated with an Elastic IP address or public IP address.
● The source/destination check flag is disabled.
● The associated security group allows outbound internet traffic from instances in the private subnet and disallows inbound internet traffic.
● The route table is configured to direct internet traffic to the NAT device.
● AWS offers two kinds of NAT devices: a NAT gateway (recommended) or a NAT instance.
● NAT gateways are recommended, as they provide better availability and bandwidth than NAT instances.
○ A NAT gateway is AWS managed.
○ A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you require more, distribute the workload by splitting resources into multiple subnets and creating a NAT gateway in each subnet.
○ Exactly one Elastic IP address is associated with a NAT gateway; you cannot disassociate an Elastic IP address from a NAT gateway after it's created. To use a different Elastic IP address, create a new NAT gateway.
○ A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
○ A private IP address from the IP address range of the subnet is automatically assigned to the NAT gateway when it is created.
○ A NAT gateway cannot be accessed by a ClassicLink connection.
○ A NAT gateway can support up to 55,000 simultaneous connections to each unique destination.
○ A NAT gateway cannot send traffic over VPC endpoints, AWS Site-to-Site VPN connections, AWS Direct Connect, or VPC peering connections. If instances in the private subnet must access resources over a VPC endpoint, a Site-to-Site VPN connection, or AWS Direct Connect, use the private subnet's route table to route the traffic directly to these devices.
○ Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their name.
○ NAT instance high availability can be achieved by creating one NAT instance per Availability Zone, pointing each private subnet's route table to the NAT instance in the same zone, and configuring an Auto Scaling group with min and max size set to 1.
Attribute | NAT gateway | NAT instance
Availability | Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture. | Use a script to manage failover between instances.
Bandwidth | Can scale up to 45 Gbps. | Depends on the bandwidth of the instance type.
Maintenance | Managed by AWS | Managed by you
Performance | Software is optimized for handling NAT traffic. | A generic Amazon Linux AMI that's configured to perform NAT.
Cost | Charged depending on the number of NAT gateways you use, duration of usage, and amount of data that you send through the NAT gateways. | Charged depending on the number of NAT instances that you use, duration of usage, and instance type and size.
Type and size | Uniform offering; you don't need to decide on the type or size. | Choose a suitable instance type and size, according to your predicted workload.
Public IP addresses | Choose the Elastic IP address to associate with a NAT gateway at creation. | Use an Elastic IP address or a public IP address with a NAT instance. You can change the public IP address at any time by associating a new Elastic IP address with the instance.
Private IP addresses | Automatically selected from the subnet's IP address range when you create the gateway. | Assign a specific private IP address from the subnet's IP address range when you launch the instance.
Security groups | Cannot be associated with a NAT gateway. You can associate security groups with your resources behind the NAT gateway to control inbound and outbound traffic. | Associate with your NAT instance and the resources behind your NAT instance to control inbound and outbound traffic.
Network ACLs | Use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides. | Use a network ACL to control the traffic to and from the subnet in which your NAT instance resides.
Flow logs | Use flow logs to capture the traffic. | Use flow logs to capture the traffic.
Port forwarding | Not supported | Manually customize the configuration to support port forwarding.
Bastion servers | Not supported. | Use as a bastion server.
Timeout behavior | When a connection times out, a NAT gateway returns an RST packet to any resources behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet). | When a connection times out, a NAT instance sends a FIN packet to resources behind the NAT instance to close the connection.
IP fragmentation | Supports forwarding of IP fragmented packets for the UDP protocol. Does not support fragmentation for the TCP and ICMP protocols. | Supports reassembly of IP fragmented packets for the UDP, TCP, and ICMP protocols.
2.2.8. Egress-Only Internet Gateways:
● An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in the VPC to the internet, and prevents the internet from initiating an IPv6 connection with instances.
● An egress-only internet gateway is for use with IPv6 traffic only.
● You cannot associate a security group with an egress-only internet gateway. Use security groups for instances in the private subnet to control the traffic to and from those instances.
● Use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.
2.2.9. DHCP Option Sets
● Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.
2.2.10. DNS
● When you launch an instance into a default VPC, AWS provides the instance with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.
● When you launch an instance into a nondefault VPC, AWS provides the instance with a private DNS hostname and might provide a public DNS hostname, depending on the DNS attributes enableDnsHostnames and enableDnsSupport specified for the VPC and whether the instance has a public IPv4 address.
● For custom DNS domain names defined in a private hosted zone in Amazon Route 53, the enableDnsHostnames and enableDnsSupport attributes must be set to true.
● Amazon EC2 limits the number of packets that can be sent to the Amazon-provided DNS server to a maximum of 1024 packets per second per network interface. This limit cannot be increased. The number of DNS queries per second supported by the Amazon-provided DNS server varies by the type of query, the size of the response, and the protocol in use.
2.2.11. VPC Endpoint
● A VPC endpoint enables creation of a private connection between your VPC and another AWS service using its private IP address.
● VPC endpoint services are powered by PrivateLink and do not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
● Traffic between your VPC and the other service does not leave the Amazon network.
● Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints.
● There are two types of VPC endpoints: interface endpoints and gateway endpoints.
● An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service such as API Gateway, CloudFormation, CloudWatch, CodeBuild, AWS Config, the EC2 API, the ELB API, SQS, SNS, KMS, Kinesis and others.
● A gateway endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service such as S3 or DynamoDB. An endpoint route is automatically deleted when you remove the route table association from the endpoint (by modifying the endpoint), or when you delete the endpoint.
● An endpoint cannot be created between a VPC and an AWS service in a different region.
● An endpoint cannot be transferred from one VPC to another, or from one service to another.
2.2.12. VPC peering
● A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately.
● You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.
● A VPC peering connection cannot be created between VPCs that have matching or overlapping CIDR blocks.
● Transitive peering is not supported.
● VPC peering does not support edge-to-edge routing through a gateway or private connection. In a VPC peering connection, the VPC does not have access to any other connection that the peer VPC may have, and vice versa.
● Only one VPC peering connection can be established between the same two VPCs at the same time.
● The Maximum Transmission Unit (MTU) across the VPC peering connection is 1500 bytes (jumbo frames are not supported).
● An instance's public DNS hostname does not resolve to its private IP address across peered VPCs.
2.2.13. Elastic IP Address
● An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing.
● Elastic IP addresses are not supported for IPv6.
● If you associate an Elastic IP address with the eth0 network interface of the instance, its current public IPv4 address (if it had one) is released to the EC2-VPC public IP address pool. If you disassociate the Elastic IP address, the eth0 network interface is automatically assigned a new public IPv4 address within a few minutes. This doesn't apply if you've attached a second network interface to your instance.
● There are differences between an Elastic IP address that you use in a VPC and one that you use in EC2-Classic.
● You can move an Elastic IP address from one instance to another. The instance can be in the same VPC or another VPC, but not in EC2-Classic.
● Elastic IP addresses remain associated with your AWS account until explicitly released.
● A small hourly charge is applied when EIPs aren't associated with a running instance, or when they are associated with a stopped instance or an unattached network interface.
● Limited to five Elastic IP addresses.
● In EC2-Classic, an Elastic IP address is disassociated from your instance when you stop it.
● In EC2-Classic, you associate an Elastic IP address with an instance.
● In EC2-Classic, if the Elastic IP address is already associated with another instance, the address is automatically associated with the new instance.
● You cannot apply tags to an Elastic IP address in EC2-Classic.
2.2.14. ClassicLink
● ClassicLink allows you to link an EC2-Classic instance to a VPC in your account, within the same region. This allows you to associate the VPC security groups with the EC2-Classic instance, enabling communication between the EC2-Classic instance and instances in the VPC using private IPv4 addresses. ClassicLink removes the need to make use of public IPv4 addresses or Elastic IP addresses to enable communication between instances in these platforms.
● ClassicLink is available to all users with accounts that support the EC2-Classic platform.
● There is no additional charge for using ClassicLink.
2.2.15. Bastion Host
● Bastion hosts (also called "jump servers") are often used as a best practice for accessing privately accessible hosts.
● A bastion host is deployed in the public subnet and acts as a proxy or a gateway between you and your instances.
● A bastion host allows you to log in to instances in the private subnet securely without having to store the private keys on the bastion host (using ssh-agent forwarding or RDP gateways).
2.2.16. VPN Connections
● AWS Site-to-Site VPN creates an IPsec VPN connection between your VPC and a remote network. A virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. A customer gateway sits on the remote side of the Site-to-Site VPN connection.
● AWS Client VPN is a managed client-based VPN service that enables you to securely access AWS resources and resources in your on-premises network.
● AWS VPN CloudHub: create multiple AWS Site-to-Site VPN connections via your virtual private gateway to enable communication between these networks.
● Third-party software VPN appliance: create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that's running a third-party software VPN appliance. AWS does not provide or maintain third-party software VPN appliances; however, you can choose from a range of products provided by partners and open source communities.
● AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
● A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection.
● A customer gateway is a physical device or software application on the customer side of the VPN connection.
● The CGW must initiate the tunnels.
● The type of routing can depend on the make and model of your VPN devices. Use static routing if your device does not support BGP (Border Gateway Protocol). BGP-capable devices are recommended, as the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
● Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
● The virtual private gateway does not route any other traffic destined outside of the advertised BGP routes, static route entries, or its attached VPC CIDR.
3. EC2
4. S3
5. RDS
6. SQS